I have Splunk logs which give the ExpiryDate in the search result based on the value of the result; I need to configure an alert 10 days before the expiry date.
Splunk result will be
Expiry Date: 12-28-2019
Thanks in Advance
Assuming ExpiryDate is in the text format you show, this should do it. If it's in epoch form then you can omit the strptime command.
<your current search> | eval eExpiryDate=strptime(ExpiryDate, "%m-%d-%Y")
| eval sevenDaysHence=relative_time(now(), "+7d")
| where eExpiryDate < sevenDaysHence
I have such events:
something
<operation>abc</operation>
<timeSent>2022-01-22T02:55:58.002Z</timeSent>
<operation>def</operation>
<timeSent>2022-01-21T13:09:18.333Z</timeSent>
What I now want to get is the timestamp of every event and the last timestamp (i.e. the maximum of the timeSent timestamps).
I tried this:
rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<"
| stats max(_time) as Responsetime, min(timeSent) as Requesttime
But this only gives me the maximum timestamp of all of the observed timestamps and the minimum of all timeSent timestamps. Moreover, I have the problem that, on the one hand, the timestamps are in a different format, and they also carry different timezones. How could I solve this in order to compute the difference between Responsetime and Requesttime?
Timestamps have to be converted into epoch (integer) form before they can be compared. Do that with the strptime() function.
rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<"
| eval timeSent = strptime(timeSent, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| stats max(_time) as Responsetime, min(timeSent) as Requesttime
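Both answers above rest on the same rule: convert every timestamp to epoch seconds before comparing or subtracting. The following is an added example, not code from either post, that does this offline in Python for both cases: the expiry-date alert (a "%m-%d-%Y" field compared against now plus N days) and the request/response delta (timeSent values captured without their trailing Z, so the zone has to be attached explicitly). The sample expiry line and event are constructed from the layouts shown in the questions; utc_epoch is a helper added here, and the 10-day default follows the first question rather than the 7 days used in the answer.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample inputs in the layouts shown in the questions (not real log data).
EXPIRY_LINE = "Expiry Date: 12-28-2019"
EVENT = """something
<operation>abc</operation>
<timeSent>2022-01-22T02:55:58.002Z</timeSent>
<operation>def</operation>
<timeSent>2022-01-21T13:09:18.333Z</timeSent>
"""

# Same character class as the rex in the answer (hyphen written last); the Z is
# deliberately outside the capture group, exactly as in the original rex.
TIMESENT_RE = re.compile(r"timeSent>(?P<timeSent>[T:0-9.-]+)Z<")
EXPIRY_RE = re.compile(r"Expiry Date:\s*(?P<ExpiryDate>\d{2}-\d{2}-\d{4})")


def utc_epoch(y, mo, d, hh=0, mm=0, ss=0, tz_hours=0):
    """Helper (assumption, not Splunk's): epoch seconds for a wall-clock time in a
    fixed-offset zone, tz_hours east of UTC. Lets the caller model _time in a
    different zone from the UTC timeSent values."""
    tz = timezone(timedelta(hours=tz_hours))
    return datetime(y, mo, d, hh, mm, ss, tzinfo=tz).timestamp()


def expiry_epoch(line):
    """Mirror of strptime(ExpiryDate, "%m-%d-%Y"); None when the field is absent."""
    m = EXPIRY_RE.search(line)
    if m is None:
        return None
    dt = datetime.strptime(m["ExpiryDate"], "%m-%d-%Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def days_until_expiry(line, now_epoch):
    e = expiry_epoch(line)
    return None if e is None else (e - now_epoch) / 86400


def expires_within(line, now_epoch, days=10):
    """Equivalent of: where eExpiryDate < relative_time(now(), "+<days>d").
    A missing or unparseable date never fires, so it cannot silently pass."""
    e = expiry_epoch(line)
    return e is not None and e < now_epoch + days * 86400


def timesent_epochs(event):
    """All timeSent values as epoch seconds. Because the regex drops the Z, the
    zone is attached explicitly as UTC instead of defaulting to the host's zone,
    which is what would skew the delta when _time is in a different zone."""
    out = []
    for m in TIMESENT_RE.finditer(event):
        dt = datetime.strptime(m["timeSent"], "%Y-%m-%dT%H:%M:%S.%f")
        out.append(dt.replace(tzinfo=timezone.utc).timestamp())
    return out


def request_response_delta(event, response_epoch):
    """Responsetime - Requesttime: the event's own time minus the earliest timeSent."""
    sent = timesent_epochs(event)
    return None if not sent else response_epoch - min(sent)


if __name__ == "__main__":
    now = utc_epoch(2019, 12, 20)
    print(days_until_expiry(EXPIRY_LINE, now), expires_within(EXPIRY_LINE, now))
    # _time modelled as 04:00 in a UTC+1 zone, i.e. 03:00Z
    print(request_response_delta(EVENT, utc_epoch(2022, 1, 22, 4, tz_hours=1)))
```

The point to carry back to Splunk: once both sides are epoch numbers, the zone question disappears, so make sure the strptime format either consumes the zone marker or the captured string is known to be UTC, otherwise the search head's zone is silently assumed.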
2020-12-07 23:57:10,160 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-460] [NumberOfMessages=95] , [bsName="BsRunBatch"], [userId="S-OLB-U-ITSEELM"], [userIdRegion="EU"]
Given the above Splunk log message, how do I find the sum of the [NumberOfMessages=95] field value on an hourly basis? I have written the following:
| timechart span=1h sum(NumberofMessages)
It's not giving the desired result. This is the result I got:
Try this:
| bin _time span=1h | stats sum(NumberofMessages) by _time
timechart can overwrite your span depending on your time window.
I have a search string like below:
index=qrp STAGE IN (ORDER_EVENT)
| bucket _time span=1h
| timechart useother=f span=1h sum(TRADES) as "TradeCount" by ODS_SRC_SYSTEM_CODE
| fillnull value=0
And this is currently giving me aggregates of trades for multiple source systems from the stage table Trade event in a tabular format for every hour of the day.
I need to check, exactly for the 8am time frame every day, whether the sum of trades for all source systems in the table is equal to zero. How do I add a condition to check whether the column value is zero or not?
Your help is much appreciated.
You can use the where command to test the value of a field.
... | where TradeCount == 0
One of the things I'm using Splunk to monitor is electricity usage. One of the fields indexed is the cumulative kW value for the day; how can I get the last value for the day for a given timespan, so as to output the total kW for each day for a month? I've tried using
host=Electricity earliest=-4w#w1 latest=+w#w1 | timechart last(live_day_kw) as Kw
but for the data I have it seems to be adding each day together, so it's increasing day on day rather than giving daily values; for example, day 1 is 7 kW, day 2 is 14 kW and day 3 is 21 kW, whereas I'd expect ~7 kW a day. I've also just checked, and the live_day_kw value does reset to zero at midnight.
Not quite sure of what you're looking for, but maybe this will help.
host=Electricity earliest=-4w#w1 latest=+w#w1 | timechart span=1d last(live_day_kw) as Kw
For the benefit of those looking for the same solution, I managed to solve it thus:
host=Electricity earliest=-4w#w1 | timechart latest(live_day_kw) as "Kw_Day" | eval Kw_Day = round(Kw_Day,2)
I also needed the search time range set to 'month to date', and it gave me exactly what I needed.
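The two searches in the hourly-sum thread above (bin _time span=1h | stats sum(...)) and in the electricity thread (timechart span=1d latest(live_day_kw)) are the same operation with a different span and aggregator: floor each event's time to its bucket, then reduce the bucket. The block below is an added reference implementation in Python, not code from any of the posts, that runs the general algorithm over both cases so you can check what a search should return before trusting it as an alert source. The log lines (the first is the one quoted in the question, the rest are constructed in the same layout) and the meter readings are constructed sample data; timestamps are treated as UTC, which is an assumption, since Splunk bins in the configured timezone. One check worth making on the original search: Splunk field names are case-sensitive, and the search sums NumberofMessages while the log carries NumberOfMessages.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in the question's layout; one line carries no
# NumberOfMessages field and must be skipped rather than counted as zero.
SAMPLE_LOG_LINES = [
    '2020-12-07 23:57:10,160 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-460] [NumberOfMessages=95] , [bsName="BsRunBatch"], [userId="S-OLB-U-ITSEELM"], [userIdRegion="EU"]',
    '2020-12-07 23:58:40,001 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-461] [NumberOfMessages=5] , [bsName="BsRunBatch"]',
    '2020-12-08 00:03:12,500 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-460] [NumberOfMessages=40] , [bsName="BsRunBatch"]',
    '2020-12-08 00:10:00,000 INFO [+] heartbeat',
    '2020-12-08 00:59:59,999 INFO [+] Number of fetched Availability to publish to Gcp PubSub topic. [ClassUnitKey=BU-STO-462] [NumberOfMessages=10] , [bsName="BsRunBatch"]',
]

# Constructed meter readings (timestamp, cumulative kW so far today). The counter
# resets at midnight, so the latest reading of each day is that day's total.
SAMPLE_KW_READINGS = [
    ("2020-12-07 06:00:00", 2.5), ("2020-12-07 12:00:00", 5.1), ("2020-12-07 23:30:00", 7.004),
    ("2020-12-08 00:05:00", 0.0), ("2020-12-08 12:00:00", 3.2), ("2020-12-08 23:45:00", 6.8),
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?\[NumberOfMessages=(?P<n>\d+)\]"
)
HOUR, DAY = 3600, 86400


def to_epoch(ts):
    """Timestamps are taken as UTC here (assumption); Splunk uses its configured zone."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def bin_start(epoch, span):
    """Same idea as `bin _time span=...`: floor the epoch to the start of its bucket."""
    return epoch - (epoch % span)


def bucket_label(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def aggregate(events, span, how):
    """events: iterable of (epoch, value). how: 'sum' (stats sum) or 'latest'
    (value with the greatest time in the bucket, i.e. Splunk's latest(), not last())."""
    buckets = defaultdict(list)
    for t, v in events:
        buckets[bin_start(t, span)].append((t, v))
    result = {}
    for start in sorted(buckets):
        rows = buckets[start]
        if how == "sum":
            result[bucket_label(start)] = sum(v for _, v in rows)
        elif how == "latest":
            result[bucket_label(start)] = max(rows, key=lambda tv: tv[0])[1]
        else:
            raise ValueError(f"unknown aggregation {how!r}")
    return result


def parse_message_counts(lines):
    """Yield (epoch, NumberOfMessages) only for lines that actually carry the field."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield to_epoch(m["ts"]), int(m["n"])


def hourly_message_totals(lines):
    return aggregate(parse_message_counts(lines), HOUR, "sum")


def daily_last_kw(readings):
    """latest(live_day_kw) per day, rounded to 2 places as in the accepted search."""
    events = ((to_epoch(ts), kw) for ts, kw in readings)
    return {day: round(kw, 2) for day, kw in aggregate(events, DAY, "latest").items()}


if __name__ == "__main__":
    print(hourly_message_totals(SAMPLE_LOG_LINES))
    print(daily_last_kw(SAMPLE_KW_READINGS))
```

The aggregator is named latest on purpose: in Splunk, last() returns the last value in search order (for a normal search that is the oldest event), whereas latest() picks by _time, which is why the accepted electricity search switched to latest(live_day_kw).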
I am trying to build a reminder application using C#, and I want to implement the concept of repeat in my application [no repeat, daily, weekly, ...], but the problem I am facing is how I should store this reminder in the database.
I tried duplicating the reminder and changing its date, but if it has no end date this doesn't seem a very smart idea. Then I tried keeping one record in the database and, whenever the date becomes past, modifying the date to the next one if it's a repeated reminder, but here I face the problem of how to search for reminders on specific days. I wondered if there is a way that SQL can duplicate a record between two dates temporarily for the search.
So I am almost out of ideas right now; any help?!
I don't think you should change any data dynamically in the reminder records. You should add a variable called "remDayOfWeek" to the database; this will be the day of the week that the user started on if the user is to be reminded weekly. Let's say you scan once a day for users that need reminders. All users with daily reminders will need reminders. For users with weekly reminders, all those with "remDayOfWeek" equal to the current day of the week will get a reminder.
OK, what I would suggest is this:
Don't create individual reminders for each day you need a reminder. Give the DB the reminder, start/end dates, and the periodicity of the check (daily, weekly, monthly), and another column to keep track of the last time the user saw a reminder.
something like:
column: | ID  | title        | Desc         | Start | End  | Period        | lastChecked |
        |-----|--------------|--------------|-------|------|---------------|-------------|
type:   | INT | varchar(100) | varchar(300) | Date  | Date | INT (or Enum) | Date        |
The whole idea is, if the user skips a day you don't need to remind them twice, and you don't really care about what happened to expired reminders, just the most recent.
Assuming the following:
no-repeat = 0
daily = 1
weekly = 2
monthly = 3
you could pull all the reminders you need for a particular date by using (assuming SQL Server, since you didn't specify):
SELECT * FROM Reminder
WHERE (GetDate() BETWEEN Start AND End)
AND (lastChecked IS NULL
  OR (Period = 1 AND GetDate() > DATEADD(day,1,lastChecked))
  OR (Period = 2 AND GetDate() > DATEADD(week,1,lastChecked))
  OR (Period = 3 AND GetDate() > DATEADD(month,1,lastChecked)));
If you want the reminder to be exactly 24 hours/1 week/1 month from the last time checked, that will be fine; otherwise use CONVERT(date, GETDATE()) to ignore the time of day the user checked.
Finally, update lastChecked to the current time after the user dismisses a reminder.
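To show the schema and the due-reminder query above actually working end to end, here is an added example, not code from the answer or the asker's application, that builds the Reminder table in an in-memory SQLite database and runs the same selection logic. It translates the T-SQL to SQLite (date(x, '+1 day') in place of DATEADD, date() in place of CONVERT(date, ...)), uses >= so a reminder is due on the day its interval elapses, and covers the edge case the question raised: an End of NULL means no end date. The rows are constructed sample data, and due_reminders/dismiss/build_sample_db are names chosen here.

```python
import sqlite3

# Period encoding from the answer above.
NO_REPEAT, DAILY, WEEKLY, MONTHLY = 0, 1, 2, 3

# The answer's table; Desc and End are quoted because both are SQL keywords.
# End is nullable so a reminder with no end date is representable.
SCHEMA = """
CREATE TABLE Reminder (
    ID          INTEGER PRIMARY KEY,
    title       TEXT NOT NULL,
    "Desc"      TEXT,
    Start       TEXT NOT NULL,   -- 'YYYY-MM-DD'
    "End"       TEXT,            -- NULL = no end date
    Period      INTEGER NOT NULL,
    lastChecked TEXT             -- 'YYYY-MM-DD HH:MM:SS', NULL = never dismissed
);
"""

# SQLite form of the T-SQL SELECT. date(...) drops the time of day (the
# CONVERT(date, ...) variant) and a NULL lastChecked is due for every period.
DUE_QUERY = """
SELECT ID, title FROM Reminder
WHERE date(:today) >= date(Start)
  AND ("End" IS NULL OR date(:today) <= date("End"))
  AND (lastChecked IS NULL
       OR (Period = :daily   AND date(:today) >= date(lastChecked, '+1 day'))
       OR (Period = :weekly  AND date(:today) >= date(lastChecked, '+7 days'))
       OR (Period = :monthly AND date(:today) >= date(lastChecked, '+1 month')))
ORDER BY ID
"""


def build_sample_db():
    """In-memory database with constructed rows covering each period and edge case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (1, "Pay rent",      None, "2024-01-01", None,         MONTHLY,   "2024-01-01 09:15:00"),
        (2, "Standup",       None, "2024-01-01", "2024-12-31", DAILY,     "2024-01-14 09:00:00"),
        (3, "Weekly report", None, "2024-01-05", None,         WEEKLY,    "2024-01-12 17:00:00"),
        (4, "Dentist",       None, "2024-01-15", "2024-01-15", NO_REPEAT, None),
        (5, "Old task",      None, "2023-01-01", "2023-06-30", DAILY,     None),
        (6, "Done once",     None, "2024-01-01", None,         NO_REPEAT, "2024-01-02 08:00:00"),
    ]
    conn.executemany("INSERT INTO Reminder VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def due_reminders(conn, today):
    """Titles of reminders to show on `today` ('YYYY-MM-DD'), in ID order."""
    params = {"today": today, "daily": DAILY, "weekly": WEEKLY, "monthly": MONTHLY}
    return [title for _, title in conn.execute(DUE_QUERY, params)]


def dismiss(conn, reminder_id, when):
    """Record that the user saw the reminder; the next due date is computed from this."""
    conn.execute("UPDATE Reminder SET lastChecked = ? WHERE ID = ?", (when, reminder_id))
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    print(due_reminders(db, "2024-01-15"))   # Standup (daily) and Dentist (one-off)
    dismiss(db, 2, "2024-01-15 09:00:00")
    print(due_reminders(db, "2024-01-16"))   # Standup again; Dentist's End has passed
```

Because the query is driven entirely by stored dates and a single lastChecked column, the records never need to be rewritten as time passes, which is the property the answer is arguing for.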